diff options
author | Sumit Bose <sbose@redhat.com> | 2009-03-02 15:26:19 +0100 |
---|---|---|
committer | Simo Sorce <ssorce@redhat.com> | 2009-03-05 09:58:41 -0500 |
commit | 4013218cd8c9840ac6db1084bbdfa22f601bd3b8 (patch) | |
tree | 6e94bc12d427496fe49aa18469f4dc4755219a3d /sss_client | |
parent | f9f42495c5ab22e17f7e59bd2df3f9353301d8b8 (diff) | |
download | sssd-4013218cd8c9840ac6db1084bbdfa22f601bd3b8.tar.gz sssd-4013218cd8c9840ac6db1084bbdfa22f601bd3b8.tar.bz2 sssd-4013218cd8c9840ac6db1084bbdfa22f601bd3b8.zip |
added a privileged pipe
Diffstat (limited to 'sss_client')
-rw-r--r-- | sss_client/common.c | 17 | ||||
-rw-r--r-- | sss_client/sss_cli.h | 14 |
2 files changed, 24 insertions, 7 deletions
diff --git a/sss_client/common.c b/sss_client/common.c index 50aabff2..d0fb0118 100644 --- a/sss_client/common.c +++ b/sss_client/common.c @@ -29,6 +29,7 @@ #include <sys/types.h> #include <sys/socket.h> #include <sys/un.h> +#include <sys/stat.h> #include <unistd.h> #include <stdlib.h> #include <stdint.h> @@ -594,6 +595,7 @@ int sss_pam_make_request(enum sss_cli_command cmd, { int ret; char *envval; + struct stat stat_buf; /* avoid looping in the pam daemon */ envval = getenv("_SSS_LOOPS"); @@ -601,7 +603,20 @@ int sss_pam_make_request(enum sss_cli_command cmd, return PAM_SERVICE_ERR; } - ret = sss_cli_check_socket(errnop, SSS_PAM_SOCKET_NAME); + /* only root shall use the privileged pipe */ + if (getuid() == 0 && getgid() == 0) { + ret = stat(SSS_PAM_PRIV_SOCKET_NAME, &stat_buf); + if (ret != 0) return PAM_SERVICE_ERR; + if ( ! (stat_buf.st_uid == 0 && + stat_buf.st_gid == 0 && + (stat_buf.st_mode&(S_IFSOCK|S_IRUSR|S_IWUSR)) == stat_buf.st_mode)) { + return PAM_SERVICE_ERR; + } + + ret = sss_cli_check_socket(errnop, SSS_PAM_PRIV_SOCKET_NAME); + } else { + ret = sss_cli_check_socket(errnop, SSS_PAM_SOCKET_NAME); + } if (ret != NSS_STATUS_SUCCESS) { return PAM_SERVICE_ERR; } diff --git a/sss_client/sss_cli.h b/sss_client/sss_cli.h index 5445b5fa..1e19e5e2 100644 --- a/sss_client/sss_cli.h +++ b/sss_client/sss_cli.h @@ -19,6 +19,7 @@ * Also a change in one of the pipes will not affect the others */ #define SSS_NSS_SOCKET_NAME "/var/lib/sss/pipes/nss" #define SSS_PAM_SOCKET_NAME "/var/lib/sss/pipes/pam" +#define SSS_PAM_PRIV_SOCKET_NAME "/var/lib/sss/pipes/private/pam" #define SSS_PROTOCOL_VERSION 0 @@ -121,12 +122,13 @@ enum sss_cli_command { #endif /* PAM related calls */ - SSS_PAM_AUTHENTICATE = 0x00F1, - SSS_PAM_SETCRED = 0x00F2, - SSS_PAM_ACCT_MGMT = 0x00F3, - SSS_PAM_OPEN_SESSION = 0x00F4, - SSS_PAM_CLOSE_SESSION = 0x00F5, - SSS_PAM_CHAUTHTOK = 0x00F6, + SSS_PAM_AUTHENTICATE = 0x00F1, + SSS_PAM_SETCRED = 0x00F2, + SSS_PAM_ACCT_MGMT = 0x00F3, + SSS_PAM_OPEN_SESSION = 0x00F4, + SSS_PAM_CLOSE_SESSION = 0x00F5, + SSS_PAM_CHAUTHTOK = 0x00F6, + SSS_PAM_CHAUTHTOK_PRELIM = 0x00F6, }; |